While data protection is a broad topic involving a complex variety of stakeholders, processes and technologies, this article focuses on data encryption methods. A strategy for data protection should consider two types of data access: unlawful and lawful.
Summary
Swiss companies should choose their cloud encryption key management strategy wisely. We suggest that organisations categorise their data into classes and choose the key management strategy for each class according to the degree of protection that class deserves. This judgement draws on the organisation's data governance on one side and on regulatory and legal requirements on the other. A higher level of data protection also implies more effort to manage and operate the system.
There are four main approaches to encryption key management in the cloud. Fundamentally, there is a trade-off between keeping control over your keys and benefiting from a fully managed cloud service. Cloud customers who wish to retain more control must invest more effort to manage the additional complexity.
How?
The CSP generates, holds and manages the encryption keys. Every stage of the key lifecycle is handled by the CSP, and the encryption service is fully embedded in that CSP's cloud services. For example, in an object storage service such as AWS S3, Azure Blob Storage or GCP Cloud Storage, your data objects are encrypted on upload and decrypted on read without any conscious involvement on your part. The corollary is that the CSP can decrypt the data whenever its own processes, or a request it is legally obliged to comply with, call for it: the customer never sees a key and controls no key policy.
Pros:
Cons:
How?
With CMEK (customer-managed encryption keys) you use key material generated and provided by the CSP, but you take over responsibility for managing those keys within the cloud platform yourself: you create the key in the CSP's key management service, set the policy that says which identities and services may use it, control rotation, and can disable it or schedule its destruction, after which the services that depend on it can no longer decrypt.
Pros:
Cons:
How?
With CSEK (customer-supplied encryption keys) the customer generates the encryption keys and provides them to the cloud platform for encrypting and decrypting the customer's data. The keys must be supplied to each CSP service as and when they are needed; the CSP uses a key for the request at hand and retains at most a hash of it to validate later requests, not the key itself. CSEK places full responsibility for key generation, ownership and management on the customer.
Pros:
Customers can withdraw the key at any time, simply by no longer supplying it; from that point on the CSP has no access to the data (equally, a customer who loses the key has lost the data, because the CSP cannot recover it either).
Cons:
How?
The customer encrypts data on premises before sending it to the cloud platform, which means the customer takes ownership not only of generating and managing the encryption keys but also of the encryption process itself. All data the CSP receives has already been encrypted by the customer. The trade-off is that cloud-side processing of that data (indexing, search, analytics, server-side transformations) is no longer possible unless the customer decrypts it first.
Pros:
Cons:
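To make the mechanics behind the four models concrete, the following Go program is an added illustration; it is not code from the original article or from any CSP. It models envelope encryption as object stores use it: each object gets its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK). Which party holds the KEK and whose policy governs it is the difference between the models. The `KEK` type with its `Disabled` flag, `SealObject`, `OpenObject` and the sample record are all constructed for this example and simulate a key service in memory rather than calling any cloud API. The program shows the CMEK "withdraw the key" effect described above (disabling the key makes every decryption fail at the key service) and the CSEK and client-side case, where the CSP holds the envelope but never the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// After the customer disables (withdraws) a key the ciphertext still exists, but nobody, the CSP included, can unwrap the DEK.
var ErrKeyDisabled = errors.New("kek: key disabled by customer policy")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; the tag check fails for any key but the right one.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// KEK is a key-encryption key plus the policy of whoever holds it: at the CSP for
// CSP-managed keys and CMEK (the latter under the customer's policy), and never
// leaving the customer for CSEK and client-side encryption. Simulated, not a real KMS.
type KEK struct {
	key      []byte
	Disabled bool // customer policy: a disabled key refuses every unwrap
}
func NewKEK() *KEK { return &KEK{key: randomBytes(32)} }

// Envelope is all the storage service persists; neither field is usable without the KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// SealObject generates a fresh 256-bit DEK per object, encrypts the object under
// it and wraps the DEK under the KEK (envelope encryption).
func SealObject(k *KEK, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(k.key, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenObject unwraps the DEK with the KEK, then decrypts the object.
func OpenObject(k *KEK, env Envelope) ([]byte, error) {
	if k.Disabled {
		return nil, ErrKeyDisabled
	}
	dek, err := gcmOpen(k.key, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext)
}

func main() {
	object := []byte("constructed sample record, not real data") // constructed input
	cmek := NewKEK() // CMEK: held in the CSP's KMS, governed by the customer's policy
	env, _ := SealObject(cmek, object)
	pt, err := OpenObject(cmek, env)
	cmek.Disabled = true // the customer withdraws the key
	_, errDisabled := OpenObject(cmek, env)
	fmt.Printf("CMEK enabled: %q err=%v; CMEK disabled: %v\n", pt, err, errDisabled)
	env, _ = SealObject(NewKEK(), object) // CSEK / client-side: the KEK stays with the customer
	_, err = OpenObject(NewKEK(), env)    // the CSP holds env but not that KEK
	fmt.Println("CSP without the customer's KEK:", err)
}
```

Run it with `go run`. The two failure paths differ in an operationally important way: a disabled CMEK fails at the key service with a policy error and can be re-enabled by the customer, whereas a CSEK or client-side key that the customer no longer supplies fails the GCM authentication tag, and if the customer has also lost that key the data is gone for good.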
A number of our Swiss customers consider that using CMEK (i.e. a CSP-provided key management service) is sufficient to protect their data from foreign authorities. Through experience, they have become confident that the CSP has no backdoor for sharing these keys without the customer's knowledge and authorisation. Customers have told us that two factors in particular add to their confidence:
Cloud customers who want an additional layer of control over their encryption keys bring or hold their own keys. These methods call for additional effort, and some cloud services may not support them. As enterprises increasingly move from being merely compliant to being genuinely secure, however, the major cloud service providers are actively enhancing their encryption offerings that rely on customer-managed keys. Each cloud customer should weigh the respective benefits and risks and determine which key management model best meets their requirements.